How secure is your website? Are you using Salted Password?

Most of people think, their website has anything worth being hacked for, but websites are compromised all the time. Firstly, most of the time website hacking is not to steal your data or deface your website, instead attempts to use your server as an email relay for spam, or to setup a temporary web server, normally to serve files of an illegal nature. Secondly, common ways to abuse compromised machines include using your servers as part of a botnet, or to mine for Bitcoins. You could even be hit by ransomware. Hacking is done by automated scripts written to scour the Internet to exploit known website security issues in software. Here are few tips to keep your site safe.

SQL injection:  SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use, standard Transact SQL it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterized queries.

Keep software up to date: This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them. If you are using a managed hosting solution, then you don't need to worry so much about applying security updates for the operating system as the hosting company should take care of this.

Error messages: We often think to provide error message in detailed way, which would help users and developers to know the cause. Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don't leak secrets present on your server. Don't provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.

Server side validation: Validation should always be done both on the browser and server side. The browser can catch simple failures like mandatory fields that are empty and when you enter text into a number only field. These can however be bypassed, and you should make sure you check for these validation and deeper validation server side as failing to do so could lead to malicious code or scripting code being inserted into the database or could cause undesirable results in your website.

Cross-site scripting (XSS): The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is like defending against SQL injection. When dynamically generating HTML, use functions which explicitly make the changes you're looking for, or use functions in your templating tool that automatically do appropriate escaping, rather than concatenating strings or setting raw HTML content.

Use Salted Passwords: Passwords should always be stored as encrypted values, preferably using a one-way hashing algorithm such as SHA. Using this method means when you are authenticating users you are only ever comparing encrypted values. For extra website security, it is a good idea to salt the passwords, using a new salt per password. In the event of someone hacking in and stealing your passwords, using hashed passwords could help damage limitation, as decrypting them is not possible. The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until it finds a match. When using salted passwords, the process of cracking many passwords is even slower as every guess must be hashed separately for every salt + password which is computationally very expensive.

HTTPS: It guarantees to users that they're talking to the server they expect, and that nobody else can intercept or change the content they are seeing in transit. If you have anything that your users might want private, it's highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to) but typically far more of your site too. A login form will often set a cookie for example, which is sent with every other request to your site that a logged in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session. To defeat these kind of attacks, you almost always want to use HTTPS for your entire site.

File uploads: Allowing users to upload files to your website can be a big website security. The recommended solution is to prevent direct access to uploaded files all together. This way, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob. If your files are not directly accessible you will need to create a script to fetch the files from the private folder (or an HTTP handler in .NET) and deliver them to the browser. Image tags support an src attribute that is not a direct URL to an image, so your src attribute can point to your file delivery script providing you set the correct content type in the HTTP header. If you are allowing files to be uploaded from the Internet only use secure transport methods to your server such as SFTP or SSH.

Most CMSes have a lot of inbuilt website security features, but it is a still a good idea to have knowledge of the most common security exploits so you can ensure you are covered.

   Comment    14-06-2017 7 : 11 AM